John Coghlan, the new CEO of Visa USA recently spoke at a conference on cardholder security and called for tougher data protection laws, including a requiremnet to notify affected individuals of security/privacy incidents. This is a bit surprising, given that Visa USA recently argued in court that they shouldn't have to notify cardholders of such incidents (The Canadian Privacy Law Blog: Credit card companies head to court over disclosure obligation). For reporting on Coghlan's speech, see: Visa CEO calls for data protection laws, incentives | InfoWorld | News | 2005-10-05 | By Grant Gross, IDG News Service.
Additional coverage here: Visa Hosts Industry Leaders at First Security Summit: Financial News - Yahoo! Finance.
While it may appear a bit counter-intuitive, companies with robust policies and procedures should be calling for mandatory notification since their more lax competitors will be shown as not doing enough to protect personal information. And that's good for the companies that are proactive about security and privacy.